use of org.ietf.jgss.GSSContext in project druid by druid-io.
the class DruidKerberosUtil method kerberosChallenge.
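/**
 * Builds the initial Kerberos GSS-API token for the {@code HTTP@server} service and returns it
 * Base64-encoded, ready to be presented to that server as an authentication challenge response.
 *
 * <p>This method always needs to be called within a {@code Subject.doAs} block so that the
 * client's TGT credentials can be read from the Subject: the credential handed to
 * {@code createContext} is deliberately {@code null}.
 *
 * <p>Security note: {@code requestCredDeleg(true)} asks for delegation of the caller's
 * credentials, i.e. the server receives a copy of the client's TGT and can act as the client
 * towards other services until that ticket expires. Keep this only for servers that genuinely
 * have to act on the caller's behalf; a compromised or impersonated server otherwise gains the
 * caller's identity. Mutual authentication is requested, but note that this one-shot method
 * never processes the server's reply token, so the server is not actually verified here.
 *
 * <p>{@code kerberosLock} serialises calls to this method; it is declared outside this snippet,
 * presumably because the Subject/JGSS lookup is not safe to run concurrently in this setup.
 *
 * @param server host name used to build the host-based service name {@code HTTP@server}
 * @return Kerberos challenge token, Base64-encoded
 * @throws AuthenticationException if the mechanism OID cannot be resolved (the reflective
 *         lookup failures are listed below) or the GSS context cannot be initiated; the
 *         underlying exception is preserved as the cause
 */
public static String kerberosChallenge(String server) throws AuthenticationException {
  kerberosLock.lock();
  try {
    // OID of the Kerberos V5 GSS-API mechanism. KerberosUtil resolves it reflectively, which
    // is why the reflection exceptions appear in the catch clause below.
    Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
    GSSManager manager = GSSManager.getInstance();
    // Host-based service name of the peer.
    GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE);
    // Client credentials are null so that they are picked up from the current Subject.
    GSSContext gssContext =
        manager.createContext(serverName.canonicalize(mechOid), mechOid, null, GSSContext.DEFAULT_LIFETIME);
    try {
      gssContext.requestMutualAuth(true);
      // Delegates the caller's TGT to the server -- see the Javadoc security note.
      gssContext.requestCredDeleg(true);
      // First leg of context establishment: an empty input token yields the AP-REQ.
      byte[] inToken = new byte[0];
      byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
      // Base64 output is plain ASCII; pin the charset rather than relying on the platform default.
      return new String(base64codec.encode(outToken), java.nio.charset.StandardCharsets.US_ASCII);
    } finally {
      // Release the JGSS context on every path, including when initSecContext throws.
      gssContext.dispose();
    }
  } catch (GSSException | IllegalAccessException | NoSuchFieldException | ClassNotFoundException e) {
    throw new AuthenticationException(e);
  } finally {
    kerberosLock.unlock();
  }
}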
use of org.ietf.jgss.GSSContext in project jetty.project by eclipse.
the class SpnegoLoginService method login.
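/**
 * Authenticates a SPNEGO/Kerberos client from the Base64 {@code Negotiate} token it presented.
 *
 * <p>{@code username} will be {@code null} since the credentials will contain all the relevant
 * info: {@code credentials} is the Base64-encoded token from the {@code Authorization} header and
 * the principal name is taken from the established GSS context.
 *
 * <p>The identity gets exactly one role: the Kerberos realm of the client principal (the text
 * after the first {@code @}; the whole name if there is none). No realm allow-list is applied
 * here, so a principal from any realm the KDC trusts (including cross-realm trusts) is accepted;
 * the realm-as-role mapping is the only place downstream code can tell realms apart.
 *
 * <p>Only the single token supplied to this call is processed. If the mechanism needs another
 * round trip to establish the context, authentication fails with {@code null} rather than
 * re-feeding the same token.
 *
 * @param username ignored, expected to be {@code null}
 * @param credentials Base64-encoded SPNEGO token as a {@link String}; anything else yields
 *        {@code null}
 * @param request the current request, unused here
 * @return the authenticated identity, or {@code null} if the token is missing, malformed or does
 *         not establish a context in one round
 */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
  if (!(credentials instanceof String)) {
    // Nothing to decode: a missing or non-string credential cannot authenticate.
    LOG.debug("SpnegoUserRealm: no SPNEGO token in credentials");
    return null;
  }
  byte[] authToken = B64Code.decode((String) credentials);
  GSSManager manager = GSSManager.getInstance();
  GSSCredential serverCreds = null;
  GSSContext gContext = null;
  try {
    // SPNEGO pseudo-mechanism OID (1.3.6.1.5.5.2), see
    // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
    Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
    GSSName gssName = manager.createName(_targetName, null);
    serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
    gContext = manager.createContext(serverCreds);
    if (gContext == null) {
      LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
      return null;
    }
    // Exactly one acceptor step: there is only one client token available in this call, and
    // looping on it (or on our own reply token) can never make progress.
    byte[] responseToken = gContext.acceptSecContext(authToken, 0, authToken.length);
    if (!gContext.isEstablished()) {
      LOG.debug("SpnegoUserRealm: context not established after a single token");
      return null;
    }
    String clientName = gContext.getSrcName().toString();
    // Realm of the client principal, used as the default role.
    String role = clientName.substring(clientName.indexOf('@') + 1);
    LOG.debug("SpnegoUserRealm: established a security context");
    LOG.debug("Client Principal is: " + gContext.getSrcName());
    LOG.debug("Server Principal is: " + gContext.getTargName());
    LOG.debug("Client Default Role: " + role);
    // responseToken (possibly null) is the mutual-authentication reply to hand back to the client.
    SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, responseToken);
    Subject subject = new Subject();
    subject.getPrincipals().add(user);
    return _identityService.newUserIdentity(subject, user, new String[] { role });
  } catch (GSSException gsse) {
    LOG.warn(gsse);
  } finally {
    // Release the context and the acquired acceptor credential on every path.
    if (gContext != null) {
      try {
        gContext.dispose();
      } catch (GSSException e) {
        LOG.warn(e);
      }
    }
    if (serverCreds != null) {
      try {
        serverCreds.dispose();
      } catch (GSSException e) {
        LOG.warn(e);
      }
    }
  }
  return null;
}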
use of org.ietf.jgss.GSSContext in project OpenAM by OpenRock.
the class WindowsDesktopSSO method authenticateToken.
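/**
 * Validates a client Kerberos/SPNEGO token against this module's service credentials and, on
 * success, records the authenticated principal via {@code setPrincipal}.
 *
 * <p>The acceptor runs under {@code Subject.doAs(serviceSubject, ...)} so that the acceptor
 * credential (passed as {@code null}) is resolved from {@code serviceSubject}. The checks applied,
 * in order, are:
 * <ol>
 *   <li>the GSS context must be fully established from the single token supplied;</li>
 *   <li>if {@code trustedRealms} is non-empty, the client principal must satisfy
 *       {@code isTokenTrusted} for at least one of them. An empty set disables this check
 *       entirely, so every realm the KDC trusts (including cross-realm trusts) is accepted;</li>
 *   <li>if {@code lookupUserInRealm} is set, the user must be found in the request organisation
 *       ({@code searchUserAccount}).</li>
 * </ol>
 *
 * @param kerberosToken raw (already Base64-decoded) token received from the client
 * @param trustedRealms realms allowed to authenticate; empty means "no realm restriction"
 * @throws AuthLoginException if the context cannot be established, the realm is not trusted, or
 *         the user is not found. Note that {@code Subject.doAs} wraps checked exceptions thrown
 *         by the action in a {@code PrivilegedActionException}, which is what actually reaches
 *         the caller.
 * @throws GSSException declared for callers; subject to the same wrapping
 * @throws Exception any other failure of the privileged action
 */
private void authenticateToken(final byte[] kerberosToken, final Set<String> trustedRealms) throws AuthLoginException, GSSException, Exception {
  debug.message("In authenticationToken ...");
  Subject.doAs(serviceSubject, new PrivilegedExceptionAction<Void>() {
    public Void run() throws Exception {
      // Null acceptor credential: it is looked up from serviceSubject, the doAs subject.
      GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
      try {
        if (debug.messageEnabled()) {
          debug.message("Context created.");
        }
        byte[] outToken = context.acceptSecContext(kerberosToken, 0, kerberosToken.length);
        if (outToken != null && debug.messageEnabled()) {
          // outToken is the reply token destined for the client (e.g. the mutual-auth AP-REP).
          debug.message("Token returned from acceptSecContext: \n" + DerValue.printByteArray(outToken, 0, outToken.length));
        }
        if (!context.isEstablished()) {
          debug.error("Cannot establish context !");
          throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null);
        }
        if (debug.messageEnabled()) {
          debug.message("Context established !");
        }
        GSSName user = context.getSrcName();
        final String userPrincipalName = user.toString();
        // An empty trustedRealms set means the realm check is skipped: expected default behaviour.
        if (!trustedRealms.isEmpty()) {
          boolean foundTrustedRealm = false;
          for (final String trustedRealm : trustedRealms) {
            if (isTokenTrusted(userPrincipalName, trustedRealm)) {
              foundTrustedRealm = true;
              break;
            }
          }
          if (!foundTrustedRealm) {
            debug.error("Kerberos token for " + userPrincipalName + " not trusted");
            final String[] data = { userPrincipalName };
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "untrustedToken", data);
          }
        }
        // Optionally require that the principal maps to an existing account in the organisation.
        if (lookupUserInRealm) {
          String org = getRequestOrg();
          String userValue = getUserName(userPrincipalName);
          String userName = searchUserAccount(userValue, org);
          if (userName != null && !userName.isEmpty()) {
            storeUsernamePasswd(userValue, null);
          } else {
            String[] data = { userValue, org };
            debug.error("WindowsDesktopSSO.authenticateToken: " + ": Unable to find the user " + userValue);
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "notfound", data);
          }
        }
        if (debug.messageEnabled()) {
          debug.message("WindowsDesktopSSO.authenticateToken:" + "User authenticated: " + userPrincipalName);
        }
        // user cannot be null here: userPrincipalName was derived from it above.
        setPrincipal(userPrincipalName);
        return null;
      } finally {
        // Release the acceptor context on every exit path, including the AuthLoginException
        // throws above, so failed logins do not leak native/JGSS state.
        context.dispose();
      }
    }
  });
}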
use of org.ietf.jgss.GSSContext in project jdk8u_jdk by JetBrains.
the class MechTokenMissing method main.
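/**
 * Regression test: feeds the acceptor a SPNEGO NegTokenInit that lists a mechType but carries no
 * mechToken, and requires the acceptor to reject it with a {@link GSSException}.
 *
 * <p>The hard-coded bytes decode as {@code [APPLICATION 0] { OID 1.3.6.1.5.5.2 (SPNEGO),
 * NegTokenInit { mechTypes: [ 1.3.6.1.4.1.311.2.2.10 ] } }}, i.e. a token whose only mechType is
 * the NTLMSSP OID and which has no mechToken element.
 *
 * @param args unused
 * @throws Exception if the expected {@code GSSException} is not thrown, or on any other failure
 */
public static void main(String[] args) throws Exception {
  GSSCredential cred = null;
  GSSContext ctx = GSSManager.getInstance().createContext(cred);
  String hex = /*0000*/
      "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/
      "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
  // Each byte is written as two hex digits plus a trailing space.
  byte[] token = new byte[hex.length() / 3];
  for (int i = 0; i < token.length; i++) {
    token[i] = (byte) Integer.parseInt(hex.substring(3 * i, 3 * i + 2), 16);
  }
  try {
    ctx.acceptSecContext(token, 0, token.length);
  } catch (GSSException gsse) {
    System.out.println("Expected exception: " + gsse);
    return;
  }
  // Silently accepting a token with no mechToken would be a bug; make the test fail loudly.
  throw new Exception("Expected GSSException was not thrown for a NegTokenInit without mechToken");
}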
use of org.ietf.jgss.GSSContext in project wildfly by wildfly.
the class GSSTestClient method getName.
// Public methods --------------------------------------------------------
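/**
 * Retrieves the name of the calling identity (based on the given {@code gssCredential}) as
 * reported by the {@link GSSTestServer}.
 *
 * <p>Wire protocol as implemented here: connect, send {@code CMD_NAME} as a 4-byte int, then run
 * the GSS-API context-establishment loop where every token in either direction is a 4-byte
 * big-endian length followed by that many bytes. Once the context is established, one more
 * length-prefixed frame is read, unwrapped, and decoded with {@code GSSTestConstants.CHAR_ENC}.
 *
 * <p>Mutual authentication, confidentiality and integrity are <em>requested</em>; whether the
 * mechanism actually granted them is not verified by this method (a test that depends on it
 * should check {@code getMutualAuthState()}, {@code getConfState()} and
 * {@code MessageProp.getPrivacy()} itself). Credential delegation is not requested, so the
 * server never receives the caller's TGT.
 *
 * @param gssCredential initiator credential to authenticate with
 * @return the caller's name as sent by the server
 * @throws IOException on socket failure, or when the peer announces a negative or oversized
 *         frame length
 * @throws GSSException if context establishment or unwrapping fails
 */
public String getName(final GSSCredential gssCredential) throws IOException, GSSException {
  LOGGER.trace("getName() called with GSSCredential:\n" + gssCredential);
  // Create an unbound socket
  final Socket socket = new Socket();
  GSSContext gssContext = null;
  try {
    socket.connect(new InetSocketAddress(host, port), GSSTestConstants.SOCKET_TIMEOUT);
    DataOutputStream dos = new DataOutputStream(socket.getOutputStream());
    DataInputStream dis = new DataInputStream(socket.getInputStream());
    LOGGER.debug("Sending NAME command.");
    dos.writeInt(GSSTestConstants.CMD_NAME);
    dos.flush();
    GSSManager manager = GSSManager.getInstance();
    gssContext = manager.createContext(manager.createName(spn, null), Constants.KERBEROS_V5, gssCredential, GSSContext.DEFAULT_LIFETIME);
    // No requestCredDeleg: the server must not be handed the caller's TGT.
    gssContext.requestMutualAuth(true);
    gssContext.requestConf(true);
    gssContext.requestInteg(true);
    byte[] token = new byte[0];
    while (!gssContext.isEstablished()) {
      token = gssContext.initSecContext(token, 0, token.length);
      if (token != null) {
        writeFrame(dos, token);
      }
      if (!gssContext.isEstablished()) {
        token = readFrame(dis);
      }
    }
    token = readFrame(dis);
    MessageProp msgProp = new MessageProp(false);
    final byte[] nameBytes = gssContext.unwrap(token, 0, token.length, msgProp);
    LOGGER.trace("Unwrapped name message; privacy=" + msgProp.getPrivacy());
    return new String(nameBytes, GSSTestConstants.CHAR_ENC);
  } catch (IOException e) {
    LOGGER.error("IOException occurred.", e);
    throw e;
  } finally {
    try {
      socket.close();
    } catch (IOException e) {
      LOGGER.error("IOException occurred", e);
    }
    if (gssContext != null) {
      try {
        gssContext.dispose();
      } catch (GSSException e) {
        LOGGER.error("GSSException occurred", e);
      }
    }
  }
}

/** Upper bound on one length-prefixed frame; GSS tokens and the wrapped name are far smaller. */
private static final int MAX_FRAME_LENGTH = 1 << 20;

/** Writes {@code data} as a 4-byte big-endian length followed by the bytes, and flushes. */
private static void writeFrame(final DataOutputStream dos, final byte[] data) throws IOException {
  dos.writeInt(data.length);
  dos.write(data);
  dos.flush();
}

/**
 * Reads one length-prefixed frame from the peer, rejecting lengths that are negative or exceed
 * {@link #MAX_FRAME_LENGTH} so that a bad or malicious peer cannot trigger
 * NegativeArraySizeException or an uncontrolled allocation.
 */
private static byte[] readFrame(final DataInputStream dis) throws IOException {
  final int length = dis.readInt();
  if (length < 0 || length > MAX_FRAME_LENGTH) {
    throw new IOException("Invalid frame length from peer: " + length);
  }
  final byte[] frame = new byte[length];
  dis.readFully(frame);
  return frame;
}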